SAROS, Italian worm spreads massively via email, Peer to Peer, ICQ and chat channels, etc.

© Jorge Machado, Lima-Perú

W32/Saros@mm, I.worm.saros@mm
Saros is a worm created by a member of Italian origin of the international group GEDZAC 2004. It was reported on 6 August 2004 and spreads massively through email messages carrying the file MSOutlookInternetUpdate.exe. It also spreads via most Peer to Peer networks, ICQ messaging and IRC (Internet Relay Chat).

It is a PE (Portable Executable) and infects Windows 95/98/NT/Me/2000/XP, including NT/2000/Server 2003 servers. It is 48 KB in size, was written in MS Visual C++ and is compressed with the UPX utility (Ultimate Packer for eXecutables): http://upx.sourceforge.net

It drops a VBScript component that manipulates the MAPI (Messaging Application Programming Interface) libraries and mails itself to every address in the MS Outlook Address Book and in the Windows global address book, WAB (Windows Address Book).
The message has the following characteristics:
- Sender: address harvested from infected systems.
- Subject: Microsoft Outlook News
- Body: Microsoft Outlook Update / Bug Fixed - Contact: support@microsoft.com
- Attachment: MSOutlookInternetUpdate.exe
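As an added example (not part of the original advisory), a mail-gateway check in Python for the message indicators listed above; the sample EML is constructed and its attachment is a harmless placeholder, not the worm.

```python
# Added example (not from the original advisory): flag mail matching the
# Saros message shape using only the Python standard library. The sample
# message built by build_sample() is constructed; the indicator strings are
# the ones the advisory lists.
import email
from email import policy
from email.message import EmailMessage

SUBJECT = "Microsoft Outlook News"
ATTACHMENT = "MSOutlookInternetUpdate.exe"
BODY_MARKER = "Microsoft Outlook Update / Bug Fixed - Contact: support@microsoft.com"

def saros_indicators(raw: bytes) -> list:
    """Return the Saros indicators present in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg.get("Subject") or "").strip() == SUBJECT:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and BODY_MARKER in body.get_content():
        hits.append("body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name == ATTACHMENT.lower():
            hits.append("attachment")
        elif name.endswith(".exe"):          # any other .exe lure is still worth a flag
            hits.append("exe-attachment")
    return hits

def is_saros_mail(raw: bytes) -> bool:
    """Block when the lure subject and the lure attachment are both present."""
    hits = saros_indicators(raw)
    return "subject" in hits and "attachment" in hits

def build_sample() -> bytes:
    """Constructed sample reproducing the advisory's message (payload is inert)."""
    m = EmailMessage()
    m["From"] = "victim@example.invalid"
    m["To"] = "target@example.invalid"
    m["Subject"] = SUBJECT
    m.set_content(BODY_MARKER)
    m.add_attachment(b"MZ placeholder, not a real executable",
                     maintype="application", subtype="octet-stream",
                     filename=ATTACHMENT)
    return m.as_bytes()
```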
When the file is executed, the worm displays a logo, followed by a fake dialog box.
It then copies itself into the %System% folder under the following names:
- Love-ScreenSaver.scr
- MSOutlookInternetUpdate.exe
- NonYou.exe
%System% stands for C:\Windows\System on Windows 95/98/Me, C:\Winnt\System32 on Windows NT/2000 and C:\Windows\System32 on Windows XP and Windows Server 2003.
It drops the file About.hta, which displays the following message:
GEDZAC Labs
2004
Have a nice Program for You
NonYou
Coded by Sarosoft
Dedicated to my Love Rosy
It likewise drops the file NSTDNRDLL32.VBS, a VBS component that drives its mass propagation through email messages.
Finally it drops a copy of itself at the path:
%Windir%\mIRC\Tdll32.dll
This file modifies SCRIPT.INI so that the following message is sent to every user who joins any IRC (Internet Relay Chat) channel:
"Love Screen Saver :-D Download it! It's funny! http://mx.geocities.com/ocpamir/screensaver/Love-ScreenSaver.zip"
To infect through Peer to Peer networks, the worm copies itself into the corresponding shared folders under the following file names:
- Program Files\Kazaa\My Shared Folder\Rosy.exe
- Program Files\Kazaa\My Shared Folder\Pipponoto.exe
- Program Files\Kazaa\My Shared Folder\Anastacia - Left Outside Alone.mp3.exe
- Program Files\Kazaa\My Shared Folder\The Rasmus - In The Shadows.mp3.exe
- Program Files\Kazaa\My Shared Folder\50 Cent - In da Club.mp3.exe
- Program Files\Kazaa\My Shared Folder\Vanessa Carltron - Ordinary Day.mp3.exe
- Program Files\Kazaa\My Shared Folder\Haiducii - Dragostea Din Tei.mp3.exe
- Program Files\Kazaa\My Shared Folder\Black Eyed Peas - Hey Mama.mp3.exe
- Program Files\Kazaa\My Shared Folder\Raf - In tutti i miei giorni.mp3.exe
- Program Files\Kazaa\My Shared Folder\Vasco Rossi - Buoni e cattivi.mp3.exe
- Program Files\Kazaa\My Shared Folder\Lionel Richie - Just For You.mp3.exe
- Program Files\Kazaa Lite\My Shared Folder\Rosy.exe
- Program Files\Kazaa Lite\My Shared Folder\Pipponoto.exe
- Program Files\Kazaa Lite\My Shared Folder\Anastacia - Left Outside Alone.mp3.exe
- Program Files\Kazaa Lite\My Shared Folder\The Rasmus - In The Shadows.mp3.exe
- Program Files\Kazaa Lite\My Shared Folder\50 Cent - In da Club.mp3.exe
- Program Files\Kazaa Lite\My Shared Folder\Vanessa Carltron - Ordinary Day.mp3.exe
- Program Files\Kazaa Lite\My Shared Folder\Haiducii - Dragostea Din Tei.mp3.exe
- Program Files\Kazaa Lite\My Shared Folder\Black Eyed Peas - Hey Mama.mp3.exe
- Program Files\Kazaa Lite\My Shared Folder\Raf - In tutti i miei giorni.mp3.exe
- Program Files\Kazaa Lite\My Shared Folder\Vasco Rossi - Buoni e cattivi.mp3.exe
- Program Files\Kazaa Lite\My Shared Folder\Lionel Richie - Just For You.mp3.exe
- Program Files\Kazaa Lite K++\My Shared Folder\Rosy.exe
- Program Files\Kazaa Lite K++\My Shared Folder\Pipponoto.exe
- Program Files\Kazaa Lite K++\My Shared Folder\Anastacia - Left Outside Alone.mp3.exe
- Program Files\Kazaa Lite K++\My Shared Folder\The Rasmus - In The Shadows.mp3.exe
- Program Files\Kazaa Lite K++\My Shared Folder\50 Cent - In da Club.mp3.exe
- Program Files\Kazaa Lite K++\My Shared Folder\Vanessa Carltron - Ordinary Day.mp3.exe
- Program Files\Kazaa Lite K++\My Shared Folder\Haiducii - Dragostea Din Tei.mp3.exe
- Program Files\Kazaa Lite K++\My Shared Folder\Haiducii - Dragostea din tei.mp3.exe
- Program Files\Kazaa Lite K++\My Shared Folder\Raf - In tutti i miei giorni.mp3.exe
- Program Files\Kazaa Lite K++\My Shared Folder\Vasco Rossi - Buoni e cattivi.mp3.exe
- Program Files\Kazaa Lite K++\My Shared Folder\Lionel Richie - Just For You.mp3.exe
- Program Files\ICQ\Shared Folder\Rosy.exe
- Program Files\ICQ\Shared Folder\Pipponoto.exe
- Program Files\ICQ\Shared Folder\Anastacia - Left Outside Alone.mp3.exe
- Program Files\ICQ\Shared Folder\The Rasmus - In The Shadows.mp3.exe
- Program Files\ICQ\Shared Folder\50 Cent - In da Club.mp3.exe
- Program Files\ICQ\Shared Folder\Vanessa Carltron - Ordinary Day.mp3.exe
- Program Files\ICQ\Shared Folder\Haiducii - Dragostea Din Tei.mp3.exe
- Program Files\ICQ\Shared Folder\Black Eyed Peas - Hey Mama.mp3.exe
- Program Files\ICQ\Shared Folder\Raf - In tutti i miei giorni.mp3.exe
- Program Files\ICQ\Shared Folder\Vasco Rossi - Buoni e cattivi.mp3.exe
- Program Files\ICQ\Shared Folder\Lionel Richie - Just For You.mp3.exe
- Program Files\Grokster\My Grokster\Rosy.exe
- Program Files\Grokster\My Grokster\Pipponoto.exe
- Program Files\Grokster\My Grokster\Anastacia - Left Outside Alone.mp3.exe
- Program Files\Grokster\My Grokster\The Rasmus - In The Shadows.mp3.exe
- Program Files\Grokster\My Grokster\50 Cent - In da Club.mp3.exe
- Program Files\Grokster\My Grokster\Vanessa Carltron - Ordinary Day.mp3.exe
- Program Files\Grokster\My Grokster\Haiducii - Dragostea Din Tei.mp3.exe
- Program Files\Grokster\My Grokster\Black Eyed Peas - Hey Mama.mp3.exe
- Program Files\Grokster\My Grokster\Raf - In tutti i miei giorni.mp3.exe
- Program Files\Grokster\My Grokster\Vasco Rossi - Buoni e cattivi.mp3.exe
- Program Files\Grokster\My Grokster\Lionel Richie - Just For You.mp3.exe
- Program Files\Bearshare\Shared\Rosy.exe
- Program Files\Bearshare\Shared\Pipponoto.exe
- Program Files\Bearshare\Shared\Anastacia - Left Outside Alone.mp3.exe
- Program Files\Bearshare\Shared\The Rasmus - In The Shadows.mp3.exe
- Program Files\Bearshare\Shared\50 Cent - In da Club.mp3.exe
- Program Files\Bearshare\Shared\Vanessa Carltron - Ordinary Day.mp3.exe
- Program Files\Bearshare\Shared\Haiducii - Dragostea Din Tei.mp3.exe
- Program Files\Bearshare\Shared\Black Eyed Peas - Hey Mama.mp3.exe
- Program Files\Bearshare\Shared\Raf - In tutti i miei giorni.mp3.exe
- Program Files\Bearshare\Shared\Vasco Rossi - Buoni e cattivi.mp3.exe
- Program Files\Bearshare\Shared\Lionel Richie - Just For You.mp3.exe
- Program Files\eDonkey2000\Incoming\Rosy.exe
- Program Files\eDonkey2000\Incoming\Pipponoto.exe
- Program Files\eDonkey2000\Incoming\Anastacia - Left Outside Alone.mp3.exe
- Program Files\eDonkey2000\Incoming\The Rasmus - In The Shadows.mp3.exe
- Program Files\eDonkey2000\Incoming\50 Cent - In da Club.mp3.exe
- Program Files\eDonkey2000\Incoming\Vanessa Carltron - Ordinary Day.mp3.exe
- Program Files\eDonkey2000\Incoming\Haiducii - Dragostea Din Tei.mp3.exe
- Program Files\eDonkey2000\Incoming\Black Eyed Peas - Hey Mama.mp3.exe
- Program Files\eDonkey2000\Incoming\Raf - In tutti i miei giorni.mp3.exe
- Program Files\eDonkey2000\Incoming\Vasco Rossi - Buoni e cattivi.mp3.exe
- Program Files\eDonkey2000\Incoming\Lionel Richie - Just For You.mp3.exe
- Program Files\eMule\Incoming\Rosy.exe
- Program Files\eMule\Incoming\Pipponoto.exe
- Program Files\eMule\Incoming\Anastacia - Left Outside Alone.mp3.exe
- Program Files\eMule\Incoming\The Rasmus - In The Shadows.mp3.exe
- Program Files\eMule\Incoming\50 Cent - In da Club.mp3.exe
- Program Files\eMule\Incoming\Vanessa Carltron - Ordinary Day.mp3.exe
- Program Files\eMule\Incoming\Haiducii - Dragostea Din Tei.mp3.exe
- Program Files\eMule\Incoming\Black Eyed Peas - Hey Mama.mp3.exe
- Program Files\eMule\Incoming\Raf - In tutti i miei giorni.mp3.exe
- Program Files\eMule\Incoming\Vasco Rossi - Buoni e cattivi.mp3.exe
- Program Files\eMule\Incoming\Lionel Richie - Just For You.mp3.exe
- Program Files\Morpheus\My Shared Folder\Rosy.exe
- Program Files\Morpheus\My Shared Folder\Pipponoto.exe
- Program Files\Morpheus\My Shared Folder\Anastacia - Left Outside Alone.mp3.exe
- Program Files\Morpheus\My Shared Folder\The Rasmus - In The Shadows.mp3.exe
- Program Files\Morpheus\My Shared Folder\50 Cent - In da Club.mp3.exe
- Program Files\Morpheus\My Shared Folder\Vanessa Carltron - Ordinary Day.mp3.exe
- Program Files\Morpheus\My Shared Folder\Haiducii - Dragostea Din Tei.mp3.exe
- Program Files\Morpheus\My Shared Folder\Black Eyed Peas - Hey Mama.mp3.exe
- Program Files\Morpheus\My Shared Folder\Raf - In tutti i miei giorni.mp3.exe
- Program Files\Morpheus\My Shared Folder\Vasco Rossi - Buoni e cattivi.mp3.exe
- Program Files\Morpheus\My Shared Folder\Lionel Richie - Just For You.mp3.exe
- Program Files\LimeWire\Shared\Rosy.exe
- Program Files\LimeWire\Shared\Pipponoto.exe
- Program Files\LimeWire\Shared\Anastacia - Left Outside Alone.mp3.exe
- Program Files\LimeWire\Shared\The Rasmus - In The Shadows.mp3.exe
- Program Files\LimeWire\Shared\50 Cent - In da Club.mp3.exe
- Program Files\LimeWire\Shared\Vanessa Carltron - Ordinary Day.mp3.exe
- Program Files\LimeWire\Shared\Haiducii - Dragostea Din Tei.mp3.exe
- Program Files\LimeWire\Shared\Black Eyed Peas - Hey Mama.mp3.exe
- Program Files\LimeWire\Shared\Raf - In tutti i miei giorni.mp3.exe
- Program Files\LimeWire\Shared\Vasco Rossi - Buoni e cattivi.mp3.exe
- Program Files\LimeWire\Shared\Lionel Richie - Just For You.mp3.exe
- Program Files\Tesla\Files\Rosy.exe
- Program Files\Tesla\Files\Pipponoto.exe
- Program Files\Tesla\Files\Anastacia - Left Outside Alone.mp3.exe
- Program Files\Tesla\Files\The Rasmus - In The Shadows.mp3.exe
- Program Files\Tesla\Files\50 Cent - In da Club.mp3.exe
- Program Files\Tesla\Files\Vanessa Carltron - Ordinary Day.mp3.exe
- Program Files\Tesla\Files\Haiducii - Dragostea Din Tei.mp3.exe
- Program Files\Tesla\Files\Black Eyed Peas - Hey Mama.mp3.exe
- Program Files\Tesla\Files\Raf - In tutti i miei giorni.mp3.exe
- Program Files\Tesla\Files\Vasco Rossi - Buoni e cattivi.mp3.exe
- Program Files\Tesla\Files\Lionel Richie - Just For You.mp3.exe
- Program Files\WinMX\Shared\Rosy.exe
- Program Files\WinMX\Shared\Pipponoto.exe
- Program Files\WinMX\Shared\Anastacia - Left Outside Alone.mp3.exe
- Program Files\WinMX\Shared\The Rasmus - In The Shadows.mp3.exe
- Program Files\WinMX\Shared\50 Cent - In da Club.mp3.exe
- Program Files\WinMX\Shared\Vanessa Carltron - Ordinary Day.mp3.exe
- Program Files\WinMX\Shared\Haiducii - Dragostea Din Tei.mp3.exe
- Program Files\WinMX\Shared\Black Eyed Peas - Hey Mama.mp3.exe
- Program Files\WinMX\Shared\Raf - In tutti i miei giorni.mp3.exe
- Program Files\WinMX\Shared\Vasco Rossi - Buoni e cattivi.mp3.exe
- Program Files\WinMX\Shared\Lionel Richie - Just For You.mp3.exe
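Added example, not from the original advisory: a host-triage check in Python over a constructed disk listing. It generalizes the list above as "known shared folder" x "lure file name" and adds a generic rule for the .mp3.exe style double extension the lure names rely on, so it also catches renamed copies.

```python
# Added example (not from the original advisory). Folder and lure names are
# the advisory's; the media/executable extension sets and the sample listing
# are constructed for the demo.
import ntpath

SHARED_FOLDERS = [
    r"Program Files\Kazaa\My Shared Folder", r"Program Files\Kazaa Lite\My Shared Folder",
    r"Program Files\Kazaa Lite K++\My Shared Folder", r"Program Files\ICQ\Shared Folder",
    r"Program Files\Grokster\My Grokster", r"Program Files\Bearshare\Shared",
    r"Program Files\eDonkey2000\Incoming", r"Program Files\eMule\Incoming",
    r"Program Files\Morpheus\My Shared Folder", r"Program Files\LimeWire\Shared",
    r"Program Files\Tesla\Files", r"Program Files\WinMX\Shared",
]
LURE_NAMES = {  # lower-cased: the worm itself drops the same name in two cases
    "rosy.exe", "pipponoto.exe", "anastacia - left outside alone.mp3.exe",
    "the rasmus - in the shadows.mp3.exe", "50 cent - in da club.mp3.exe",
    "vanessa carltron - ordinary day.mp3.exe", "haiducii - dragostea din tei.mp3.exe",
    "black eyed peas - hey mama.mp3.exe", "raf - in tutti i miei giorni.mp3.exe",
    "vasco rossi - buoni e cattivi.mp3.exe", "lionel richie - just for you.mp3.exe",
}
EXEC_EXT = {".exe", ".scr", ".pif", ".com"}
MEDIA_EXT = {".mp3", ".avi", ".mpg", ".jpg", ".zip"}

def in_shared_folder(folder: str) -> bool:
    """True when the directory is one of the P2P share folders the worm targets."""
    f = folder.lower().rstrip("\\")
    return any(f.endswith(s.lower()) for s in SHARED_FOLDERS)

def classify(path: str):
    # 'saros-lure' for a known drop, 'double-extension' for the generic trick, else None
    folder, name = ntpath.split(path)
    if not in_shared_folder(folder):
        return None
    name = name.lower()
    if name in LURE_NAMES:
        return "saros-lure"
    stem, ext = ntpath.splitext(name)           # "holiday.jpg", ".scr"
    if ext in EXEC_EXT and ntpath.splitext(stem)[1] in MEDIA_EXT:
        return "double-extension"
    return None

def scan(listing):
    """Return (path, verdict) for every suspicious entry in a directory listing."""
    return [(p, v) for p in listing if (v := classify(p)) is not None]

SAMPLE_LISTING = [  # constructed
    r"C:\Program Files\Kazaa\My Shared Folder\Rosy.exe",
    r"C:\Program Files\eMule\Incoming\Haiducii - Dragostea din tei.mp3.exe",
    r"C:\Program Files\WinMX\Shared\holiday.jpg.scr",
    r"C:\Program Files\WinMX\Shared\song.mp3",
    r"C:\Users\me\Downloads\setup.mp3.exe",
]
```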
If the system date is the 11th or the 23rd, Saros displays two messages, the main one being:
NonYou
Rosy Ti Amo - Saro & Rosy Forever
Gedzac Group 2004
NonYou.a Gedzac Labs Productions
Coded by Sarosoft - Dedicated to my Love Rosy
Gedzac Group 2004 - http://www.gedzac.tk
Gedzac
The Virus Crew
On the same dates the worm replaces the configured default home page with the link:
http://www.gedzac.tk
The worm undermines Microsoft Outlook's security configuration, removing the .EXE extension from Outlook's blocked-attachment list (Level1Remove) by adding the following registry keys:
[HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Outlook\Security]
"Level1Remove" = "exe"
[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Outlook\Security]
"Level1Remove" = "exe"
[HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Security]
"Level1Remove" = "exe"
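Added example, not from the original advisory: a Python check that parses a registry export (.reg text, constructed below, with the advisory's key paths and value) for the Level1Remove tampering and builds the .reg fragment that deletes the value again.

```python
# Added example (not from the original advisory): find Outlook Level1Remove
# entries in a .reg export and emit the deletion fragment. Level1Remove is a
# ';'-separated list of extensions Outlook stops blocking, so any entry under
# an Outlook\Security key is a weakening worth reviewing.
import re

SECURITY_KEY = re.compile(
    r"^HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\(\d+\.\d+)\\Outlook\\Security$",
    re.IGNORECASE)
VALUE_LINE = re.compile(r'^"([^"]+)"="([^"]*)"$')
KEY_FMT = r"[HKEY_CURRENT_USER\Software\Microsoft\Office\%s\Outlook\Security]"

def find_level1remove(reg_text: str) -> list:
    """Return (office_version, [unblocked extensions]) for each tampered key."""
    findings, version = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            m = SECURITY_KEY.match(line[1:-1])
            version = m.group(1) if m else None   # None: not an Outlook Security key
            continue
        m = VALUE_LINE.match(line)
        if version and m and m.group(1).lower() == "level1remove":
            exts = [e.strip().lstrip(".").lower() for e in m.group(2).split(";") if e.strip()]
            findings.append((version, exts))
    return findings

def remediation_reg(findings) -> str:
    """Build a .reg fragment; '"name"=-' deletes the value when the file is imported."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for version, _ in findings:
        out.append(KEY_FMT % version)
        out.append('"Level1Remove"=-')
        out.append("")
    return "\n".join(out)

SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Outlook\Security]
"Level1Remove"="exe"

[HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Security]
"Level1Remove"="exe"

[HKEY_CURRENT_USER\Software\Example\Constructed]
"Level1Remove"="exe"
"""
```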
Finally it connects to http://www.windowsupdate.com to capture information, though without achieving its aims.
The payloads of this worm are:
- Spreads massively in email messages carrying the file MSOutlookInternetUpdate.exe.
- Uses sender addresses harvested from the MS Outlook Address Book and the Windows global address book.
- Was developed in Mexico by a member of the international hacker group GEDZAC.
- Displays various screens and dialog boxes.
- Infects through most Peer to Peer networks.
- Also spreads through ICQ and chat channels.
- Undermines MS Outlook security.
- Changes the MS Internet Explorer home page.
- Tries to extract information from the Microsoft Windows Update portal.
PER ANTIVIRUS® version 8.8 with virus definitions dated 6 August 2004 efficiently detects and removes this worm.

